Oracle Blog

The first Internet Identity Provider for Social Networks?

I received this newswire story about a new company called safeTspace that claims to provide the kind of identity and age verification service that I blogged about a few weeks ago. Aimed at social-networking sites like MySpace, it combines an in-person registration process with biometric authentication to offer an unprecedented level of security for users. The mission statement looked promising:

The company's proprietary technology keeps
unwanted adults out of social- networking sites by verifying each
user's identity with fingerprint technology backed by in-person
registration. In addition to identity and age verification, the
safeTspace process obtains parental consent for users under 18 years
old. The technology protects the child - and not the computer -
allowing them to log on and be protected at any computer.

Very Interesting!Intrigued, I headed over to their website to find out more. In their initial rollout, safeTspace is only dealing with social-networking sites for children, so it essentially is trying to ensure that you know who is an adult and who is a child (and not an adult posing as a child), thereby restricting access to child-only services and chat rooms. The verification process essentially involves an adult parent going online, creating an account with all their personal information (name, DOB, gender, address, ...) and providing the information of their children that they want to register. They will receive an invitation letter that the child takes to school along with one form of identification. The child's identity is verified and they have their fingerprint taken by a safeTspace representative (usually a safeTspace certified teacher), and their account is activated. From that point on, they can access child-friendly social-networking sites by first logging into safeTspace using their account id, password and fingerprint. The site then sends them to the unlocked member site. The safeTspace website optimistically says:

The only hardware required is a lowcost fingerprint ID reader. Registered
children simply login to safeTspace by entering their ID, password and
fingerprint. Once there, they can access a wide variety of child-only
content and chat, IM and explore with complete freedom.

My ThoughtsThis is obviously one of the first attempts to create a sort of internet identity provider, even if it seems to operate on the Web SSO principle more than the identity-as-a-service principle.

It incorporates one of the key elements to making identity verification possible. It uses an in-person process, which is the only way to truly verify someone's identity (never ask a computer to do a human's job). It also brings in a ubiquitous institution - schools - into the process (in my post on identity verification I had singled out banks as the institution of choice).

The biggest hole seems to be its reliance on biometric authentication. While this ensures that an adult will not log in with a child's account (actually, I think determined people will find a way around that, but it's better than nothing), it imposes a burden that I don't think the user community is ready for. Social networking sites today have tens of millions of users, know no global boundaries, are accessed on all manner of devices (cellphones, communicators, public internet terminals) and are free. All of which do not jive with fingerprint based authentication.

First off, I don't see schools in developing countries (some of which have the most active children communities) being able to get online with this program soon.

Those same children may not be able to afford the fingerprint reader this scheme needs. The site FAQ states: the cost will depend on the content provider providing the technology, but the general price is around $30 per year -
less than the cost of one cup of premium coffee a month. Yeah, here in the US maybe, but in China, India or Thailand?

Also, how this is supposed to work when kids are increasingly using cellphones to blog, photoblog, chat, IM and twitter on social-networking sites leaves a gaping hole in the story. The FAQ does state that the technology works with mobile devices, but offers no specifics.

It's an interesting challenge. Technologies like CardSpace and OpenID promise user-centric identity selectors, but impose no requirements on authentication done to get access to the Identity Cards. Security is only as strong as the weakest link, and the reliance on a PIN to access an Identity Card seems to be the weak link. I for one will be interested in seeing how safeTspace does in the market. What do you think?

Any system which relies on poorly paid (think TSA) part-time workers as the validation point is simply asking for exploitation. Consider the number of sex offender charges lodged against teachers in just the past year or two. Consider how tempting it would be to sell access for an extra $50 or so.
This is a system just waiting for a scandal.

Thanks, Nishant for seeing the value in the safeTspace product and process. In-person identity verification forms the basis for all sorts of internet identity services , such as enabling the hard-sought internet driver's license. Services that rely on an identity provider who can issue strongly authenticated licenses will finally begin to evolve , while biometrics adds a second factor of safety to the equation and can be applied to all sorts of identity services. You ask several very good questions in your response that we'd like to address:
You are correct � schools and organizations around the world have varying facilities and organizational strength to do this. The use of schools is just one major way of approaching this, particularily in the U .S. We'll be making other partner announcements at our blog, http://www.4syndication.com/safetblog/99/f.do
Fingerprint adoption is very prevalent in many countries around the world, e.g. drivers' licenses in Brazil, cell phones in Japan. Other biometrics have commoditized in other areas. The use of facial recognition on cell phones and in countries prohibiting fingerprints allows a service of this type to be more ubiquitous.